Azure AD PowerShell and how to use it

Hi again,

I’m preparing these days to start a series of presentations around Greece, in order to show Microsoft Partners how easy it is to start using, selling and implementing Office 365 and Microsoft Azure. We’ll visit most major cities and take the opportunity to demonstrate the most common scenarios that could be sold to Greek small businesses. One of the topics I’m going to present is Azure AD PowerShell.

Before going on, I would like to point out that PowerShell is something you should care about and learn, even if you only plan to use it for your on-premises infrastructure. I already did a Skype Meeting last year, showing the audience how easy it is to use PowerShell to automate your day-to-day Active Directory admin tasks. You can watch the entire presentation here, although it’s related to the on-premises AD environment. In case you feel that you still need to learn PowerShell, you can start with this free MVA course: https://mva.microsoft.com/en-US/training-courses/getting-started-with-powershell-30-jump-start-8276?l=r54IrOWy_2304984382

Once you start using Azure AD, PowerShell is still very useful, but before you can use it you have to install it locally on your computer. No, your existing PowerShell app cannot manage your Azure AD on its own. Keep in mind that there are two versions of Azure PowerShell: the “simple” Azure PowerShell and the Azure AD PowerShell. I suggest that you download and install both as soon as you start dealing with Azure. Download Azure AD PowerShell from https://msdn.microsoft.com/en-us/library/jj151815.aspx and follow the instructions. In practice, first install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version) and click Run to run the installer package.

Now that you have everything installed, you can start using it. First, you have to connect to your Azure AD tenant. You can do this by running the cmdlet:

Connect-MsolService

and you’ll get a prompt to enter the username and password for the Azure AD subscription you’re using, similar to the following picture:

[Screenshot: connect]

As soon as you’re connected, you could type the following command to get a list of all your AD users:

Get-MsolUser -All

[Screenshot: users]

In case you’ve implemented B2B collaboration, you can get a list of all the external users, which are called Guest accounts in a B2B implementation, by typing:

Get-MsolUser -All | Where-Object { $_.UserType -eq "Guest" }

In case you have configured some user accounts to belong to specific departments, you can search for these accounts with the cmdlet below, which returns the user accounts that belong to the Sales department:

Get-MsolUser -All | Where-Object { $_.Department -like "*Sales*" }

But what if you want to find users that have a specific admin role? Type:

Get-MsolRole

and you’ll get a list of all the roles:

[Screenshot: roles]

If you want to get information about a specific role, let’s say the Company Administrator, you can first store the role in a variable:

$companyAdminRole = Get-MsolRole -RoleName "Company Administrator"

and then type:

Get-MsolRoleMember -RoleObjectId $companyAdminRole.ObjectId

so you’ll get a list of users with the specified role:

[Screenshot: roles1]
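Building on the Get-MsolRole / Get-MsolRoleMember and Guest-account commands above, here is an added example (not code from the original post) that reports every admin role with its members and flags Guest (B2B) accounts and admins without per-user MFA. It assumes the MSOnline module and an existing Connect-MsolService session.

```powershell
# Added example, not part of the original post: report every Azure AD admin role
# with its members, flagging Guest (B2B) accounts and admins without per-user MFA.
# Assumes the MSOnline module and an existing Connect-MsolService session.
# Caveat: StrongAuthenticationRequirements only reflects legacy per-user MFA; MFA
# enforced through Conditional Access is not visible here.

function Get-AdminRoleReport {
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId -All) {
            $memberType = $member.RoleMemberType   # User, Group or ServicePrincipal
            $mfaState   = 'n/a'
            if ($memberType -eq 'User') {
                # Look the user up to get UserType (Member/Guest) and the MFA state.
                $user = Get-MsolUser -ObjectId $member.ObjectId
                $memberType = $user.UserType
                $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                    $user.StrongAuthenticationRequirements[0].State   # Enabled or Enforced
                } else {
                    'Disabled'
                }
            }
            [PSCustomObject]@{
                Role   = $role.Name
                Member = if ($member.EmailAddress) { $member.EmailAddress } else { $member.DisplayName }
                Type   = $memberType
                Mfa    = $mfaState
            }
        }
    }
}

$report = Get-AdminRoleReport

# Guest accounts holding any admin role deserve a second look.
Write-Host "Guest accounts in admin roles:"
$report | Where-Object { $_.Type -eq 'Guest' } | Format-Table -AutoSize

# So do admins with no per-user MFA requirement.
Write-Host "Admin role members without per-user MFA:"
$report | Where-Object { $_.Mfa -eq 'Disabled' } | Format-Table -AutoSize
```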

Let’s now say that we want to check whether a user is a member of a group. First we need to create the following PowerShell function:

function IsMemberOfGroup($groupName, $userPrincipalName) {
    # -SearchString matches on the start of the display name, so it can return
    # more than one group; we only proceed when exactly one matches.
    $group = Get-MsolGroup -SearchString $groupName -All
    if ($null -eq $group) {
        Write-Host "Group not found"
        return
    }
    if ($group.Count -gt 1) {
        Write-Host "More than one matching group found"
        return
    }
    $user = Get-MsolUser -UserPrincipalName $userPrincipalName
    if ($null -eq $user) {
        Write-Host "User not found"
        return
    }
    # Compare on ObjectId: it is unique, unlike display names.
    $groupMember = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
    if ($null -eq $groupMember) {
        Write-Output $false
    } else {
        Write-Output $true
    }
}

and then call the function, as you can see in the following screenshot:

IsMemberOfGroup "GroupName" "userprincipalname"

[Screenshot: groups]

In this case the user is not a member of the group.

Do not forget that you can use Azure AD PowerShell to create user accounts, using a cmdlet similar to the one below:

New-MsolUser -UserPrincipalName kostas@partnersdemo.onmicrosoft.com -DisplayName "Kostas Ioannidis" `
    -FirstName "Kostas" -LastName "Ioannidis" -Password 'P@ssw0rd' -ForceChangePassword $false -UsageLocation "GR"

[Screenshot: users1]

And then we could create a group:

New-MsolGroup -DisplayName "Azure team" -Description "Azure team users"

[Screenshot: groups1]

In case you want to add multiple users with a bulk import, first create a CSV file like the one shown below (one row per user, with the columns UserName, FirstName, LastName, DisplayName, JobTitle, Department and Country):

[Screenshot: file]

Then you simply run the following commands, which read the contents of the file and create the required users:

$users = Import-Csv C:\Users.csv
$users | ForEach-Object {
    New-MsolUser -UserPrincipalName $_.UserName -FirstName $_.FirstName -LastName $_.LastName `
        -DisplayName $_.DisplayName -Title $_.JobTitle -Department $_.Department -Country $_.Country
}
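The same bulk import, as an added example that is not from the original post: it keeps the CSV columns used above but skips UPNs whose domain is not verified in the tenant, skips UPNs that already exist, and gives each new account a random one-time password that must be changed at first sign-in. It assumes an existing Connect-MsolService session; the CSV rows and the tenant domain are constructed placeholders.

```powershell
# Added example, not part of the original post: bulk-create users from a CSV with
# the same columns as the post's loop, but (1) skipping UPNs whose domain is not
# verified in the tenant, (2) skipping UPNs that already exist, and (3) giving each
# account a random one-time password with ForceChangePassword set to $true.
# Assumes an existing Connect-MsolService session; the domain below is a placeholder.

# Constructed sample input standing in for C:\Users.csv (use Import-Csv for a real file).
$csvText = @'
UserName,FirstName,LastName,DisplayName,JobTitle,Department,Country
maria@TENANT-PLACEHOLDER.onmicrosoft.com,Maria,Papadaki,Maria Papadaki,Sales Rep,Sales,Greece
nikos@TENANT-PLACEHOLDER.onmicrosoft.com,Nikos,Georgiou,Nikos Georgiou,Engineer,IT,Greece
'@
$users = $csvText | ConvertFrom-Csv

$verifiedDomains = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name

function New-InitialPassword {
    # 16 characters from a 64-symbol alphabet, so "byte % 64" introduces no bias.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

$results = foreach ($row in $users) {
    $domain = ($row.UserName -split '@')[-1]
    if ($verifiedDomains -notcontains $domain) {
        [PSCustomObject]@{ UserName = $row.UserName; Status = "skipped: $domain is not a verified domain"; InitialPassword = $null }
        continue
    }
    if (Get-MsolUser -UserPrincipalName $row.UserName -ErrorAction SilentlyContinue) {
        [PSCustomObject]@{ UserName = $row.UserName; Status = 'skipped: already exists'; InitialPassword = $null }
        continue
    }
    $password = New-InitialPassword
    New-MsolUser -UserPrincipalName $row.UserName -FirstName $row.FirstName -LastName $row.LastName `
        -DisplayName $row.DisplayName -Title $row.JobTitle -Department $row.Department `
        -Country $row.Country -UsageLocation 'GR' -Password $password -ForceChangePassword $true | Out-Null
    # The one-time password is returned so it can be handed over out of band; do not log it.
    [PSCustomObject]@{ UserName = $row.UserName; Status = 'created'; InitialPassword = $password }
}

$results | Format-Table -AutoSize
```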

Thanks and I hope you’ve found this post useful.
